
Re: bare nuts on solaris 8/9



OK, changing access for my client from auth to read worked, but..

when doing an ldap search (using the password grabbed from the
/var/ldap/ldap_client_cred), I was able to see the userPassword,
because the /var/ldap/ldap_client_cred file is chmod 644.  But,
when I chmod 600 the cred file I can authenticate passwords, but
not see anything else (as a non-root user).  What gives?  Does pam
run with root privileges but not nss?  How do I make it so that
the system knows what the ldap client password is, but not any
users on the system (or does that require more sophisticated auth
like sasl)?

thanks for your help.  this stuff is slowly making sense.

- Chuck


On Tue, Sep 17, 2002 at 11:03:35AM -0500, Scott Moorhouse wrote:
> Chuck Pierce wrote:
> >I have gathered that there are three essential files that you need:
> >/etc/nsswitch.conf (change passwd and group to "files ldap")
> >/var/ldap/ldap_client_file (to tell solaris where things are)
> >/var/ldap/ldap_client_cred (the username/password for ldap)
> >
> >If you set up just those things, you can do listusers, ls, getent, finger,
> >etc (anything that pulls user info), but you can't authenticate passwords
> >(e.g., no telnet, ssh, su, etc).
> >
> My experience is only with Solaris 9, but:
> You should be able to authenticate users even with this setup (through 
> pam_unix).  If you can use getent to look up users, then pam_unix should 
> be able to as well.
> 
> Double-check the credentials that the Solaris ldap client is trying to 
> bind to your ldap server with.  Make sure that those bind credentials 
> are allowed to read the userPassword attribute.  And if you are not 
> using pam_ldap (if you haven't modified /etc/pam.conf, you are using 
> pam_unix) your userPassword attributes must be tagged {crypt}.  Put 
> slapd in debug mode and watch your Solaris box try to bind to the 
> server.  In Solaris 9, the default is to bind anonymously unless you 
> specify an authentication type of "simple" or something like 
> "tls:simple" or your favorite SASL method if you use that (thanks Igor B.).
> 
> When you successfully set up pam_ldap, Solaris will try to bind to the 
> directory as whatever user is trying to log in, so then you can use 
> whatever authentication scheme the ldap server supports if you like.  It 
> authenticates the user as long as the bind is successful.  Then the only 
> access that is needed to the userPassword attribute is auth access.
> 
> There were huge changes to the way LDAP worked between Solaris 8 and 9, 
> so the above might not strictly apply to you.
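
The two access models Scott describes, written out as OpenLDAP slapd.conf ACLs (an added illustration, not from either poster; the proxy DN, suffix and attribute list are assumed, and the two userPassword rules are alternatives, not meant to be active together):

```conf
# Model A: pam_unix with {crypt} hashes.  The identity the Solaris client
# binds as (assumed DN) must READ userPassword so pam_unix can compare
# hashes locally.  Anyone who can read /var/ldap/ldap_client_cred then
# has the same read, which is exactly what Chuck saw with mode 644.
access to attrs=userPassword
    by dn="cn=proxyagent,ou=profile,dc=example,dc=com" read
    by * auth

# Model B: pam_ldap.  Solaris binds as the user logging in, so the hash
# is never returned to the client; every identity gets AUTH only and the
# proxy credential in ldap_client_cred no longer unlocks other hashes.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * auth

# Either way, the proxy only needs read on the attributes nss resolves.
access to attrs=uid,uidNumber,gidNumber,cn,gecos,homeDirectory,loginShell,memberUid,objectClass
    by dn="cn=proxyagent,ou=profile,dc=example,dc=com" read
    by * read
```

Model B only works once /etc/pam.conf has been switched to pam_ldap; with the default pam_unix, auth-only access makes logins fail, which matches Chuck's first observation.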